Please enter your company's public IP address in the format “ip4:xxx.xxx.xxx.xxx” in the field “Condition to allow access”. The “111.111.111.111” is only an example IP address; please do not enter it. To restrict access to users that have Pass-Cookies, please add “has_pass:true” as a required condition for users located outside the company network.

Please enter “login_name:test” in the fields “Condition to change OTP secret”, “Condition to change OTP notification email” and “Condition to access to secure browser control panel” to grant the user “test” the permission to configure OTP, OTP Notification Email Settings and the Secure Browser Control Panel. “false” is to ensure that only the user “test” has the permission to make the changes.

Step 4 – Assigning an existing user to the “Test Policy Group”.

Click on the “Edit” icon to configure an existing user account:

Select the “Test Policy Group” that was previously created under the field “Access Policy Group” and click on “Save” to finish the setup.

Step 5 – Setup the Pass-Cookie Issue condition

Click on “Domain Setting”, then “Other Settings”, and then click on the “Edit” button.

Select “Enable” and enter “ip4:111.111.111.111” in the field. Click on “Save”.

After you have created the new “Access Policy Group” and configured the user “test”, you are ready to test the login.

Access Control Testing (Access Policy Group)

A1. Can I login from an external IP network without a Pass-Cookie?

“No”, according to the “Test Policy Group”, users who are not in the company network and do not possess a Pass-Cookie are not allowed to login.

Step 1 – Connect from an external IP network.

In this example, the corporate network is “111.111.111.111”, so please login from any network except the “111.111.111.111” IP address.

Step 2 – Login to any cloud service such as the Access Control User Console at the URL

https://ap.ssso.hdems.com/portal/your.domain/login

You will be denied access because “Test Policy Group” does not allow users to access from an external network without a Pass-Cookie.

A2. Can I login to the cloud service from an external network with a Pass-cookie?

“Yes”, according to the access policy group, users are allowed to login from an external IP with a Pass-Cookie.

Step 1 – Connect to the internet from the corporate network.

In this example, the corporate network is “111.111.111.111”, thus please connect to the internet within the corporate network with the IP address “111.111.111.111”.

Step 2 – Obtain a Pass-Cookie by logging in to a cloud service.

For example, you can login to the Access Control User Console at https://ap.ssso.hdems.com/sso/your.domain/login

When users are successfully logged in, the system will issue a Pass-Cookie saved in the browser for the user to login to the cloud services from an external network. You can extend the life-span of the Pass-Cookie; however, the Pass-cookie has an expected life-span of 7 days in this example.

Step 3 – Connect to the internet outside the corporate network.

In this example, the corporate network is “111.111.111.111”, thus please connect to the internet outside of the “111.111.111.111” IP address.

Step 4 – Login to any cloud service to test the access.

You will be able to successfully login despite being outside the corporate network, because you possess a valid Pass-Cookie.

A3. Will I be asked to enter an OTP PIN when logging in from an external network with a Pass-Cookie?

“Yes”, according to the “Test Policy Group”, users possessing a Pass-Cookie will be able to login from an external network without entering an OTP PIN.

Step 1 – Connect to the internet outside the corporate network.

Step 2 – Login to any cloud service

You will be granted access if you fulfill one of the conditions below:

1) Connecting from an internal network, or

2) Possessing a Pass-Cookie

Because the test user has previously been granted a Pass-Cookie in the company network, the test user will not be asked to enter an OTP PIN in order to gain access.

If the “Test Policy Group” has the following configuration:

If “has_pass:true” was replaced with “false”, the only OTP-free condition will be connecting from the corporate network.

A4. Can I Access the OTP Settings interface?

“Yes”, according to the “Test Policy Group”, the user “test” has the special permission to access the OTP settings interface (login_name:test).
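
The behaviour checked in A1 to A4 can be written down as a small decision model and used as an expected-results table when validating a policy group. This is an added example, not code from the product: the function names, the "any one condition is enough" rule, the exact-match handling of “ip4:” and the contents of the OTP-free list are assumptions based on the walkthrough above.

```python
from datetime import datetime, timedelta

# Conditions as entered in the walkthrough. Treating each list as
# "any one condition is enough" is an assumption of this model.
ALLOW_ACCESS = ["ip4:111.111.111.111", "has_pass:true"]
OTP_FREE = ["ip4:111.111.111.111", "has_pass:true"]  # assumed from A3
CHANGE_OTP = ["login_name:test", "false"]
ISSUE_PASS = ["ip4:111.111.111.111"]
PASS_LIFETIME = timedelta(days=7)  # life-span used in the example


def matches(cond, req, now):
    """Evaluate one 'key:value' condition against a request dict."""
    key, _, value = cond.partition(":")
    if key == "ip4":  # exact match only; a simplification
        return req["ip"] == value
    if key == "login_name":
        return req["login_name"] == value
    if key == "has_pass":
        expires = req.get("pass_expires")
        valid = expires is not None and now < expires
        return valid == (value == "true")
    return False  # "false" and unknown conditions never grant anything


def any_match(conds, req, now):
    return any(matches(c, req, now) for c in conds)


def login(req, now):
    """Return the access decision and, when earned, a new cookie expiry."""
    if not any_match(ALLOW_ACCESS, req, now):
        return {"allowed": False, "otp_required": None, "new_pass_expires": None}
    issue = any_match(ISSUE_PASS, req, now)
    return {
        "allowed": True,
        "otp_required": not any_match(OTP_FREE, req, now),
        "new_pass_expires": now + PASS_LIFETIME if issue else None,
    }


def can_change_otp(req, now):
    return any_match(CHANGE_OTP, req, now)
```

The model also covers a case the walkthrough does not test: once the Pass-Cookie has expired, an external login falls back to the A1 result and is denied.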